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1. Mechanism for securing data access of a first subscriber 
(11) or a plurality of subscribers (12... 14), which are 
arranged in a first subnetwork (20) of an automation network 
(1) , to a second subscriber (15) or a plurality of subscribers 
(10, 11), which are arranged in a second subnetwork of the 
automation network (1) , comprising at least one so-called 
secure switch (16, 24, 26), which is connected upstream of the 
first subscriber (11) or subscribers (12...14) of the first 
subnetwork (20) , for establishing what is known as a tunnel 
(29, 30) to the second subscriber (15) or subscribers (10, 11) 
of the second subnetwork, by which data can be securely 
transmitted via an insecure network, wherein the secure switch 
(16, 24, 26) is constructed as an Ethernet switch and at least 
one port (17, 25, 28) is constructed as a layer 3 port for 
producing a tunnel end point in accordance with the IPsec 
protocol and wherein the secure switch (16, 24, 26) 
establishes the tunnel in a substitutional manner for the 
first subscriber (11) or in a substitutional manner for the 
subscribers (12... 14) of the first subnetwork (20) and 
allocates the tunnel to the subscriber or subscribers by using 
the respective subscriber address. 

2. Mechanism according to claim 1, characterized in that a 
configuration tool (11) is provided for configuring the 
automation network (1) , by which parameter data of the secure 
switch (16, 24, 26) can automatically be generated and 
transmitted to the secure switch. 

3 . Mechanism according to either claim 1 or claim 2 , 
characterized in that the secure switch (40) has at least one 
port (47, 49, 50) which is constructed as a WLAN end point and 
is capable of producing a tunnel end point. 
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4. Mechanism according to any one of the preceding claims, 
characterized in that the secure switch is constructionally 
suitable for use in an automation system. 

5. Mechanism according to any one of the preceding claims, 
characterized in that a port (45) capable of producing a 
tunnel end point can be distinguished from other ports 
(41... 44) of the secure switch (40) by a marking. 

6. Mechanism according to claim 5, characterized in that the 
marking can be changed over. 

7. Coupling device, referred to as a secure switch, for 
securing data access of a first subscriber or a plurality of 
subscribers, which are arranged in a first subnetwork of an 
automation network, to a second subscriber or a plurality of 
subscribers which are arranged in a second subnetwork of the 
automation network, wherein the secure switch can be connected 
upstream of the first subscriber or subscribers of the first 
subnetwork, wherein the secure switch (16, 24, 26) is 
constructed as an Ethernet switch and at least one port (17, 
25, 28) is constructed as a layer 3 port for producing a 
tunnel end point in accordance with the IPsec protocol and 
wherein the secure switch (16, 24, 2 6) comprises a device 

(46) , referred to as a secure channel converter, for 
establishing what is known as a tunnel to the second 
subscriber or subscribers of the second subnetwork, by which 
data can be securely transmitted via an insecure network, 
wherein the tunnel can be established in a substitutional 
manner for the first subscriber or subscribers of the first 
subnetwork and can be allocated to the subscriber or 
subscribers by using the respective subscriber address. 
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